From 3652cc5c87c5acb5f69b06958ce6f6348530c69e Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Tue, 25 Apr 2017 13:06:52 +0100
Subject: [PATCH] Drop invalid packets

---
 src/freedombone-utils-firewall | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall
index 3b44daf5..8d435ff3 100755
--- a/src/freedombone-utils-firewall
+++ b/src/freedombone-utils-firewall
@@ -136,8 +136,15 @@ function configure_firewall {
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 
+ # Drop invalid packets
+ iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
+
 # Make sure incoming tcp connections are SYN packets
 iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+ iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
+
+ # Drop SYN packets with suspicious MSS value
+ iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
 
 # Drop packets with incoming fragments
 iptables -A INPUT -f -j DROP
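Review bot: The three new mangle-table rules are appended with `-A`, so they accumulate on every run of configure_firewall unless the mangle PREROUTING chain is flushed alongside the filter table earlier in the function (that setup is outside this hunk, so I cannot confirm it); an `iptables -t mangle -F PREROUTING` before them, or an `iptables -t mangle -C PREROUTING ...` check guarding each `-A`, would keep the ruleset idempotent. The added lines use `-m conntrack --ctstate NEW` while the retained INPUT rule directly above still uses the deprecated `-m state --state NEW`; since the PREROUTING drop now fires before INPUT is reached, either rewrite that line as `iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP` or remove it so the non-SYN check lives in one place. The INVALID drop is silent, so the only visibility into what it discards is the per-rule counter (`iptables -t mangle -L PREROUTING -v -n`); the comment should note that packets on asymmetric or untracked paths can also be classed INVALID, so a spike in that counter is worth investigating rather than assumed hostile. The MSS rule relies on the preceding non-SYN drop to ensure only SYNs reach it, which holds only while the two rules keep this order. configure_firewall begins and ends outside the hunk.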